njrat | eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96

General

Target

eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe
Size

246KB
MD5

66a37d7b13902048a7b947785c990910
SHA1

c845c1c9ba6e5d07404600e2e2f1b674f5e9e485
SHA256

eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96
SHA512

759b9a3ca40fd89140285dbc32b25b56d9ffa1c64adbf240e5b175dc0e9b0c26ff4ff6bffe397c31e8cefa38c0cc93b2c818ee2a23898dad5a8dba52baeaab30
SSDEEP

6144:jfMrmQ0hVh5kIr06t5J2wiAksaDlRCDeu3OmDv5r9S4vPMHie3Fg1SAuK1:gqr0IJJzdahRCau3lvd3MzWG

Score

10^/10

njrat ابو فرنقع evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

ابو فرنقع

C2

xk03.no-ip.biz:5552

Mutex

c294eacc4eeb89346402ee701c9e81b9

Attributes

reg_key
c294eacc4eeb89346402ee701c9e81b9
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
1972	bb.exe
472	bb.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
932	netsh.exe

Loads dropped DLL 2 IoCs

pid	Process
1064	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe
1972	bb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\c294eacc4eeb89346402ee701c9e81b9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bb.exe\" .."	bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c294eacc4eeb89346402ee701c9e81b9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bb.exe\" .."	bb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 1064	1624	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe	28
PID 1972 set thread context of 472	1972	bb.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe
Token: SeDebugPrivilege	1972	bb.exe
Token: SeDebugPrivilege	472	bb.exe
Token: 33	472	bb.exe
Token: SeIncBasePriorityPrivilege	472	bb.exe
Token: 33	472	bb.exe
Token: SeIncBasePriorityPrivilege	472	bb.exe
Token: 33	472	bb.exe
Token: SeIncBasePriorityPrivilege	472	bb.exe
Token: 33	472	bb.exe
Token: SeIncBasePriorityPrivilege	472	bb.exe
Token: 33	472	bb.exe
Token: SeIncBasePriorityPrivilege	472	bb.exe
Token: 33	472	bb.exe
Token: SeIncBasePriorityPrivilege	472	bb.exe
Token: 33	472	bb.exe
Token: SeIncBasePriorityPrivilege	472	bb.exe
Token: 33	472	bb.exe
Token: SeIncBasePriorityPrivilege	472	bb.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1064	1624	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe	28
PID 1624 wrote to memory of 1064	1624	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe	28
PID 1624 wrote to memory of 1064	1624	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe	28
PID 1624 wrote to memory of 1064	1624	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe	28
PID 1624 wrote to memory of 1064	1624	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe	28
PID 1624 wrote to memory of 1064	1624	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe	28
PID 1064 wrote to memory of 1972	1064	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe	29
PID 1064 wrote to memory of 1972	1064	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe	29
PID 1064 wrote to memory of 1972	1064	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe	29
PID 1064 wrote to memory of 1972	1064	eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe	29
PID 1972 wrote to memory of 472	1972	bb.exe	30
PID 1972 wrote to memory of 472	1972	bb.exe	30
PID 1972 wrote to memory of 472	1972	bb.exe	30
PID 1972 wrote to memory of 472	1972	bb.exe	30
PID 1972 wrote to memory of 472	1972	bb.exe	30
PID 1972 wrote to memory of 472	1972	bb.exe	30
PID 472 wrote to memory of 932	472	bb.exe	31
PID 472 wrote to memory of 932	472	bb.exe	31
PID 472 wrote to memory of 932	472	bb.exe	31
PID 472 wrote to memory of 932	472	bb.exe	31

C:\Users\Admin\AppData\Local\Temp\eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe
"C:\Users\Admin\AppData\Local\Temp\eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe
  C:\Users\Admin\AppData\Local\Temp\eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\bb.exe
    "C:\Users\Admin\AppData\Local\Temp\bb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\bb.exe
      C:\Users\Admin\AppData\Local\Temp\bb.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:472
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bb.exe" "bb.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bb.exe

Filesize
246KB

MD5
66a37d7b13902048a7b947785c990910

SHA1
c845c1c9ba6e5d07404600e2e2f1b674f5e9e485

SHA256
eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96

SHA512
759b9a3ca40fd89140285dbc32b25b56d9ffa1c64adbf240e5b175dc0e9b0c26ff4ff6bffe397c31e8cefa38c0cc93b2c818ee2a23898dad5a8dba52baeaab30

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb.exe

Filesize
246KB

MD5
66a37d7b13902048a7b947785c990910

SHA1
c845c1c9ba6e5d07404600e2e2f1b674f5e9e485

SHA256
eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96

SHA512
759b9a3ca40fd89140285dbc32b25b56d9ffa1c64adbf240e5b175dc0e9b0c26ff4ff6bffe397c31e8cefa38c0cc93b2c818ee2a23898dad5a8dba52baeaab30

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb.exe

Filesize
246KB

MD5
66a37d7b13902048a7b947785c990910

SHA1
c845c1c9ba6e5d07404600e2e2f1b674f5e9e485

SHA256
eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96

SHA512
759b9a3ca40fd89140285dbc32b25b56d9ffa1c64adbf240e5b175dc0e9b0c26ff4ff6bffe397c31e8cefa38c0cc93b2c818ee2a23898dad5a8dba52baeaab30

Download Submit
\Users\Admin\AppData\Local\Temp\bb.exe

Filesize
246KB

MD5
66a37d7b13902048a7b947785c990910

SHA1
c845c1c9ba6e5d07404600e2e2f1b674f5e9e485

SHA256
eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96

SHA512
759b9a3ca40fd89140285dbc32b25b56d9ffa1c64adbf240e5b175dc0e9b0c26ff4ff6bffe397c31e8cefa38c0cc93b2c818ee2a23898dad5a8dba52baeaab30

Download Submit
\Users\Admin\AppData\Local\Temp\bb.exe

Filesize
246KB

MD5
66a37d7b13902048a7b947785c990910

SHA1
c845c1c9ba6e5d07404600e2e2f1b674f5e9e485

SHA256
eb34997850c70a4d8e8a9eb0fee3e04b6bdc7aec72cdf6df0f3d63842d736a96

SHA512
759b9a3ca40fd89140285dbc32b25b56d9ffa1c64adbf240e5b175dc0e9b0c26ff4ff6bffe397c31e8cefa38c0cc93b2c818ee2a23898dad5a8dba52baeaab30

Download Submit
memory/1064-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1064-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1064-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1624-63-0x0000000004D35000-0x0000000004D46000-memory.dmp

Filesize
68KB

Download
memory/1624-54-0x0000000000CD0000-0x0000000000D14000-memory.dmp

Filesize
272KB

Download
memory/1624-56-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/1624-55-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1972-69-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1972-79-0x0000000004C95000-0x0000000004CA6000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing